The documentation for PDO::quote [0] says that a processed string is 
"theoretically safe to pass into an SQL statement". Understandably, prepared 
statements should be preferred when possible. But I need to change some stuff 
where integrating them is impossible, and some values must be securely embedded 
into a query string.

There's only one stated problem with PDO::quote that could result in an SQL 
injection: when the charset has not been set for the connection. But, as the 
documentation warns, this will be guaranteed.

Neither mysql_real_escape_string [1] nor pg_escape_literal [2], which escape 
values for embedding into SQL query strings, has a note about being only 
*theoretically* safe. Only PDO::quote has such a warning.

* Is there any reason PDO::quote should be less safe than 
mysql_real_escape_string or pg_escape_literal for embedding values in SQL 
queries?
* Is it just written in a very security-centric way so that everyone sticks to 
prepared statements?

Although e.g. WordPress is not known for the cleanest code, 
mysql_real_escape_string has been used for years without any known problems.

[0] https://www.php.net/manual/en/pdo.quote.php
[1] https://www.php.net/manual/en/function.mysql-real-escape-string
[2] https://www.php.net/manual/en/function.pg-escape-literal.php
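As an added illustration of the one failure mode the question names (charset not set on the connection), here is a small Python model. It is not code from the original post, from PHP/PDO or from MySQL. It contrasts a byte-oriented escaper (what an escaping function effectively does when it believes the connection is single-byte) with charset-aware escaping modelled on the gbk rules of MySQL's escape_string_for_mysql(), and runs both through a toy version of the server's single-quoted-literal scanner. The attacker payload, the table name `users` and the GBK byte ranges are assumptions of the example.

```python
"""Model of the "charset not set" case in which escaping can fail.

Added example, not code from the original post, PHP or MySQL. The attacker
input PAYLOAD and the query around it are constructed for the demonstration.
"""

# GBK: lead byte 0x81-0xFE, trail byte 0x40-0x7E or 0x80-0xFE. The backslash
# (0x5C) is a valid trail byte, which is what makes the problem possible.
GBK_LEAD = range(0x81, 0xFF)


def gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def is_gbk_char(data: bytes, i: int) -> bool:
    """True when data[i:i+2] is a well-formed two-byte GBK character."""
    return i + 1 < len(data) and data[i] in GBK_LEAD and gbk_trail(data[i + 1])


def naive_escape(value: bytes) -> bytes:
    """Byte-oriented escaping: a backslash before ', " and \\, nothing else.
    This is what addslashes() does, and what a charset-aware escaper degrades
    to when it has been told the connection uses a single-byte charset."""
    out = bytearray()
    for b in value:
        if b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(value: bytes) -> bytes:
    """Escaping modelled on escape_string_for_mysql() for gbk: well-formed
    multibyte characters are copied through untouched; a lead byte that is
    NOT followed by a valid trail byte is itself escaped, so the invalid
    sequence 0xBF 0x27 cannot turn into the valid character 0xBF 0x5C once a
    backslash is inserted; quotes and backslashes are escaped as usual."""
    out = bytearray()
    i = 0
    while i < len(value):
        if is_gbk_char(value, i):
            out += value[i:i + 2]
            i += 2
            continue
        b = value[i]
        if b in GBK_LEAD or b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def split_literal(query: bytes):
    """Toy model of the server scanning a single-quoted literal under gbk.
    Takes bytes starting at the opening quote and returns
    (unescaped value, SQL bytes remaining after the closing quote).
    Multibyte characters are consumed whole; a backslash consumes the next byte."""
    if not query or query[0] != 0x27:
        raise ValueError("expected a single-quoted literal")
    value = bytearray()
    i = 1
    while i < len(query):
        if is_gbk_char(query, i):
            value += query[i:i + 2]
            i += 2
        elif query[i] == 0x5C and i + 1 < len(query):
            value.append(query[i + 1])
            i += 2
        elif query[i] == 0x27:
            return bytes(value), query[i + 1:]
        else:
            value.append(query[i])
            i += 1
    raise ValueError("unterminated string literal")


def parse_where_value(escaper, value: bytes):
    """Embed `value` with `escaper` into a fixed query (hypothetical table
    `users`) and parse the literal back as the server would. Returns the
    value the server sees and whatever is left after the literal; anything
    left there means the literal closed early and attacker bytes became SQL."""
    query = b"SELECT * FROM users WHERE name = '" + escaper(value) + b"'"
    return split_literal(query[query.index(b"'"):])


# Constructed attacker input: an orphan GBK lead byte directly before a quote.
PAYLOAD = b"\xbf' OR 1=1 -- "
# Constructed legitimate input: a real GBK character (0xC4E3) plus an apostrophe.
LEGIT = b"\xc4\xe3's"

if __name__ == "__main__":
    for name, esc in (("naive", naive_escape), ("charset-aware", charset_aware_escape)):
        seen, rest = parse_where_value(esc, PAYLOAD)
        print(f"{name:14s} value seen by server={seen!r} leftover SQL={rest!r}")
```

With the byte-oriented escaper the inserted backslash lands between 0xBF and 0x27, the server (parsing as gbk) reads 0xBF 0x5C as one character, and the following quote terminates the literal, leaving `OR 1=1 --` as live SQL. The charset-aware escaper instead escapes the orphan lead byte, the literal round-trips byte-for-byte, and nothing leaks out. The legitimate input round-trips under both, which is why the weakness is easy to miss in testing; it only appears when the escaper and the server disagree about the connection charset.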
